Abstract

It is claimed in Phys. Lett. A by T. Nishioka et al. [327 (2004) 28-32] that the 
security of Y-00 is equivalent to that of a classical stream cipher. In this paper it is 
shown that the claim is false in either the use of Y-00 for direct encryption or key 
generation, in all the parameter ranges it is supposed to operate including those of 
the experiments reported thus far. The security of Y-00 type protocols is clarified. 
A new approach to quantum cryptography called KCQ (keyed communication in
quantum noise) has been developed [1] on the basis of a different advantage
creation principle from that in either uncorrelated-classical-noise key
generation [2] or the well known BB84 quantum protocol [3]. A special case
called αη (or Y-00 in Japan) has been experimentally investigated and developed
to a considerable extent [4,5,6,7,8] for direct encryption. In Ref. [9], the
claim is made that Y-00 is equivalent to a classical stream cipher, in
particular that the quantum noise is negligible, and thus also cannot be used
for key generation. This claim is justified by an "attack" that reduces the
security of Y-00 to that of a standard stream cipher for the purpose of
obtaining the data bits from observing the output of Y-00. In this paper, we
will show that this claim is patently false.

The main explicit claim in [9] is that their classical stream cipher, "Case 2",
has the same security as Y-00, and so can be employed instead. We will refute
this claim in connection with both data and key security (the latter is not
even considered in [9]), in direct encryption as well as in key generation, and
also show that their "attack" is an ineffective one on Y-00.

One basic error in [9] is the assumption that Y-00 with the parameters reported
in [4,5,6,7,8] is reducible to their "Case 1" cipher for which Eq. (10) of [9]
is valid without error. Such error of course decreases with increasing
coherent-state energy, but it is trivial to claim that a coherent-state system
is classical when the energy in the system is large enough as compared to all
the parameters of the operating scheme. We have always qualified our own claim
by saying that the coherent-state energy is "mesoscopic". In the case of direct
encryption parameters reported experimentally [4,5,6,7,8], the reduction of
Ref. [9] results in a classical stream cipher in quantum noise with an error
rate of ~1%, and has already been analyzed in detail by the Hirota group [10].
Furthermore, even when the coherent-state quantum noise of Y-00 can in
principle be replaced by classical randomization, such randomization makes Y-00
a random cipher. It is known that a random cipher may have better secret-key
security compared to a classical stream cipher, such as "Case 2" of [9], which
is nonrandom.

Another error made in [9] may arise from the incorrect claim made in [12]. This
involves Fig. 4 of [9] and the discussion around it pertaining to the use of
Y-00 for key generation, with the key being used subsequently in a classical
cipher. The protocol of Fig. 4 is seriously incomplete for key generation and
is not one we intended or claimed to use. Before further elaboration on these
errors in [9], we first briefly review the Y-00 scheme and remove a very common
misconception about direct encryption versus key generation.

Consider the original experimental scheme Y-00 as described in Ref. [4] and
depicted in Fig. 1. Alice encodes each data bit into a coherent state in a
qumode, an infinite-dimensional Hilbert space, of the form [11]

$$|\alpha_\ell\rangle = |\alpha_0(\cos\theta_\ell + i\sin\theta_\ell)\rangle \qquad (1)$$

where $\alpha_0$ is real, $\theta_\ell = 2\pi\ell/M$, and
$\ell \in \{0, \ldots, M-1\}$. The M states are divided into M/2 basis pairs of
antipodal signals $\{|\pm\alpha_\ell\rangle\}$ with
$-\alpha_\ell = \alpha_{\ell+M/2}$. A seed key K of bit length $|K|$ is used to
drive a conventional encryption mechanism whose output is a much longer running
key K' that is used to determine, for each qumode carrying the bit
$b\,(= 0, 1)$, which pair $\{|\pm\alpha_\ell\rangle\}$ is to be used. Bob
utilizes a quantum receiver to decide on b knowing which particular pair
$\{|\pm\alpha_\ell\rangle\}$ is to be discriminated. On the other hand, Eve
needs to pick a quantum measurement for her attack in the absence of the basis
knowledge provided by the seed or running key. The difference in the resulting
receiver performance is a quantum effect with no classical analog, and
constitutes the ground for possible advantage creation in the scheme. Note that
since the quantum-measurement noise is irreducible, such advantage creation can
result in an unconditionally secure key generation protocol. In contrast, in a
classical situation including noise, the simultaneous measurement of the
amplitude and phase of the signal, as realized optically by heterodyning,
provides the general optimal measurement for both Bob and Eve; thus preventing
any advantage creation under our approach that grants Eve a copy of the state
for the purpose of bounding her information.

Fig. 1. Left: Overall schematic of the Y-00 scheme. Right: Depiction of M/2
bases with interleaved logical state mappings.

One needs to first distinguish the use of such a scheme for key generation
versus data encryption. It may first appear that if the system is secure for
data encryption, it would also be secure for key generation if the data are
subsequently used as keys. This is indeed the view taken in Ref. [9] and
Ref. [12]. It is unfortunate that the author of Ref. [12], a co-author of
Refs. [4,5], made this conclusion that the direct encryption experiments in
[4,5] would already allow key generation in spite of our objections. In fact,
for the direct encryption experiments in Refs. [4,5,6,7,8], we have only
claimed complexity-based security against general attacks, with "unconditional
security" only against a very limited class of "individual attacks." The
situation may be delineated as follows. Let $X_n$, $Y_n^E$, $Y_n^B$ be the
classical random vectors describing the bit data of length n, Eve's
observation, and Bob's observation. Eve may make any quantum measurement on her
copy of the quantum signal to obtain $Y_n^E$ in her attack. In the case of a
standard classical cipher, $Y_n^E = Y_n^B = Y_n$, the following Shannon limit
[13] applies

$$H(X_n|Y_n) \le H(K) \qquad (2)$$

and so there can be no fresh key generation. This is because all the
uncertainty in $X_n$ is derived from K, however long n is. While
$H(X_n|Y_n^E)$ describes the level of information-theoretic security of the
data $X_n$ against ciphertext-only attacks, $H(K|Y_n^E)$ describes the
information-theoretic security of the key against ciphertext-only attacks with
known a priori probability $p(X_n)$, thus including known and chosen plaintext
attacks in the case of degenerate $p(X_n)$. See Ref. [14] and [1] for further
discussion. In standard cryptography, one typically does not worry about
ciphertext-only attack on completely random data, where Eq. (2) is usually
satisfied with equality for large n for the designed key length
$|K| = H(K)$. Rather, it is attacks on the key with known nonuniform
$p(X_n)$, using information on K so obtained on future data, that is the focus
of concern, as in the Advanced Encryption Standard (AES).

The reduction of Y-00 to the classical stream cipher of Ref. [9] consists in
collapsing any observation to a single bit $l_i$, with the claim that, as
described in Eqs. (9)-(11) of [9],

$$l_i = x_i \oplus k_i \qquad (3)$$

where $x_i$ is the data bit [15] at the ith position of the data sequence, and
$k_i$ is a fixed function of the running key that determines the basis used for
that position. Each $l_i$ is 0 or 1 according to whether Eve's observation on
the ith qumode lies on the upper or lower half-circle with respect to the
"horizontal" basis given by the all zero running key. However, Eq. (3) is not
always true due to the quantum noise in Eve's measurement which sometimes
pushes the measured result to the wrong side of the horizontal line. From the
intrinsic coherent-state angular uncertainty with a phase standard deviation of
$1/\alpha_0$, an estimate of the bit error rate

$$P_b^E \sim 2/(\pi\alpha_0) \qquad (4)$$

is simply obtained if one assumes that the measured state is uniformly
distributed within a standard deviation only. In deriving Eq. (4) we have also
used the fact that the (M/2) bases are selected with uniform marginal
probability for each qumode, which is a consequence of using, e.g., an LFSR for
the ENC box of Fig. 1 with seed key length $|K| > \log_2(M/2)$. This $P_b^E$ is
in rough agreement with the numerical calculations of Ref. [10], which includes
the optimal quantum receiver performance result for this "attack" via the
optimal binary decision measurement. The resulting 1% error means that for the
purpose of attacking the data $X_n$, the reduction is equivalent to a classical
stream cipher with unknown K received in noise that causes 1% error in the
output ciphertext. Thus, Y-00 is not equivalent to a classical stream cipher,
but rather to one in significant noise even in the experimental regime reported
thus far. Indeed, not only do such errors invalidate the Shannon limit Eq. (2)
for a standard stream cipher, they also create advantage for the users and
allow key generation in the usual fashion [2]. To see that the error rate of 1%
is significant, note that it allows a substantial key generation rate of 10
Mbps for a raw bit rate of 1 Gbps, using privacy amplification [16]. The
authors of [9] mistakenly omit the privacy amplification step required for key
generation in their Fig. 4.
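
A small Monte Carlo model of the reduction in Eq. (3), added here as an illustration and not taken from the paper or from Ref. [9]. It assumes Gaussian phase noise of standard deviation 1/α_0, takes k_i to be the parity of the basis index (the interleaved mapping of Fig. 1), and uses constructed parameters; it counts how often l_i differs from x_i XOR k_i and sets the result beside the Eq. (4) estimate.

```python
import math
import random

TWO_PI = 2.0 * math.pi

def eq4_estimate(alpha0):
    """Bit error estimate of Eq. (4): 2 / (pi * alpha0)."""
    return 2.0 / (math.pi * alpha0)

def gaussian_model_rate(alpha0, M):
    """Mismatch rate of Eq. (3) under the assumed Gaussian phase noise,
    averaged over the M/2 equally likely bases."""
    sigma = 1.0 / alpha0

    def tail(u):                      # P(standard normal > u)
        return 0.5 * math.erfc(u / math.sqrt(2.0))

    half = M // 2
    total = 0.0
    for basis in range(half):
        theta = TWO_PI * basis / M    # angle of the basis above the horizontal axis
        # The noise can push the point across either end of its half-circle.
        total += tail(theta / sigma) + tail((math.pi - theta) / sigma)
    return total / half

def simulate_mismatch(sigma, M, n, seed=1):
    """Fraction of n positions where Eve's half-circle bit l_i differs from
    x_i XOR k_i. sigma is the phase-noise standard deviation (0.0 = no noise)."""
    rng = random.Random(seed)
    half = M // 2
    mismatches = 0
    for _ in range(n):
        x = rng.getrandbits(1)            # data bit x_i
        basis = rng.randrange(half)       # basis picked by the running key
        k = basis & 1                     # assumed k_i: parity of the basis index
        point = basis + half * (x ^ k)    # transmitted state index on the circle
        phase = TWO_PI * point / M + rng.gauss(0.0, sigma)
        l = 0 if (phase % TWO_PI) < math.pi else 1   # upper / lower half-circle
        mismatches += (l != (x ^ k))
    return mismatches / n

if __name__ == "__main__":
    alpha0, M = 40.0, 2048                # constructed, not the experimental values
    print("no noise     :", simulate_mismatch(0.0, M, 50_000))
    print("simulated    :", simulate_mismatch(1.0 / alpha0, M, 200_000))
    print("Gaussian avg :", gaussian_model_rate(alpha0, M))
    print("Eq. (4)      :", eq4_estimate(alpha0))
```

Without noise Eq. (3) holds at every position; with noise the mismatches come from bases lying within a few standard deviations of the horizontal axis, and the rate scales as 1/α_0 like Eq. (4).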

On the other hand, a stronger attack may be launched on Y-00 by making a
heterodyne measurement which retains all the $\log_2 M$ bits of output for each
qumode. Under such an attack, the cipher becomes a classical random cipher in
principle, satisfying Eq. (2) with the experimental parameters of [4]. This is
because the experiments on the original Y-00 have parameters that satisfy

$$H(X_n|Y_n^E, K) \sim 0 \qquad (5)$$

when the heterodyne measurement is made on each qumode by Eve. Under Eq. (5),
Eq. (2) also obtains and the data security is no better than $|K|$ as in all
standard symmetric key ciphers. Furthermore, in this regime, and under the
heterodyne attack which is more powerful than that of [9], key generation with
information-theoretic security is impossible in principle, a point missed in
Ref. [12] and in all the criticisms of Y-00 including Ref. [9] and Ref. [17],
but was explicitly stated in the first version of Ref. [1]. This point is at
least implicit in Ref. [4] where we said the experiment has to be modified for
key generation. One simple way to break the Shannon limit Eq. (2) while
protecting the key at the same time is to randomize (unkeyed) the state
transmitted to cover the half-circle defined by the basis chosen by the running
key, which we call DSR in [1]. Indeed, the resulting noise behavior for Eve is
similar to the 1% error neglected in Ref. [9], and is also the basis of
advantage creation for key generation. Clearly, there is no room to go into any
detail on such variations and extensions of Y-00 in this paper.

Nevertheless, it is important to note that heterodyning by Eve does not reduce
Y-00 to a classical stream cipher even under Eq. (5). Rather, it reduces it to
a random cipher, i.e., a cipher with randomized encryption [18] so that

$$H(Y_n|X_n, K) \ne 0, \qquad (6)$$

which can be accomplished classically in principle, but not in current
practice. This is because true random numbers can only be generated physically,
not by an algorithm, and the practical rate for such generation is five to six
orders of magnitude below the ~Gbps rate in our experiments where the
coherent-state quantum noise does the randomization automatically. Furthermore,
our physical "analog" scheme does not sacrifice bandwidth or data rate compared
to other known randomization techniques. There is an unexplored avenue with
respect to a random cipher in that there is no proof that the key is not
information-theoretic secure, i.e., that K can be pinned down by a long $Y_n$
via the unicity distance with known $p(X_n)$ as in a non-randomized cipher
[13,18,19], whether $p(X_n)$ is degenerate or not. Indeed, it is known [20]
that a specific kind of randomized encryption can defeat any attack on the key
when the source generates independent data bits with $p(X = 0) \ne 1/2$. Since
the coherent-state quantum noise makes efficient high-rate randomized
encryption possible in practice in Y-00, it is indeed a quantum cipher in the
important sense that an essential feature of the cipher arises from quantum
noise.

In this connection, we address the attacks described by Lo and Ko [17], which
can be launched either when a long sequence of plaintext is known or when the
plaintext statistics are nonuniform. Therefore, they are not directly
applicable to Y-00 used for key generation. These attacks can however be
launched on a classical cipher that uses the generated key, and the authors of
[17] give an argument that reduces such an attack to a similar one directly on
the data sent in the key generation step. However, this reduction is incorrect
because, as in [9], the privacy amplification step in the key generation stage
is omitted. Furthermore, their attacks are impractical in that they require
exponential loss or exponentially long input n-sequences [21] and exponential
search. They also miss the distinction between random and non-random ciphers
with regard to attacks on the key. Also, the Grover search attack described in
[17] is claimed to break Y-00 because in the asymptotic $n \to \infty$ limit,
the output states corresponding to different seed key values become orthogonal.
In addition to the subtle problem of orthogonality in a non-separable Hilbert
space, it makes little cryptographic sense, even for a non-random cipher, to
just look at the asymptotic $n \to \infty$ limit. Indeed, Shannon calls a
system that is broken only at $n \to \infty$ "ideal" [13,18].

The claimed "Case 2" non-random-cipher reduction of Y-00 in [9] has weaker
security against attacks on the key compared to Y-00 due to the 1% error that
exists in the attack of [9] on Y-00. This error induces random errors on the
actual bases or running key estimate, and may allow some information-theoretic
security on K. Indeed, even under a general attack, the logical possibility is
open that Y-00 is information-theoretic secure or at least Shannon "ideal".
Even if such turns out not to be the case, the "Case 2" cipher still has less
key security against known-plaintext attacks than Y-00 for the following
reason. Any given classical nonrandom cipher can be used as the ENC box in Y-00
which then provides an added layer of protection through the coherent-state
modulation. Even under the heterodyne attack that utilizes the full state
observation, one obtains the following brute-force key-search complexity
corresponding to the number of possible running key sequences for large n,

C ~ ( XM )W/'°e 2 (f) ( 7 ) 

where $\lambda = 2$ for ciphertext-only attack (i.e. random data) and
$\lambda = 1$ for known-plaintext attacks. The estimate Eq. (7) is obtained by
counting only the possible states within one standard deviation of the phase,
which is actually an underestimate for large n. With our experimental
parameters of $M \sim 4 \times 10^3$, $\alpha_0 \sim 2 \times 10^2$,
$|K| \sim 4.4 \times 10^3$ [8], one has $C > 2^{480}$ for $\lambda = 1$, well
beyond any conceivable classical or quantum search capability. Note that the
Grover's search described in [17] suffers from a similar exponential
limitation. This search is needed to attack the ENC box seed key from its
output, which is absent for a nonrandom classical stream cipher where the ENC
output is uniquely specified in a known-plaintext attack. One may match the ENC
cipher rate to the data rate in Y-00 by using a total of $\log_2(M/2)$
different deterministic functions $f_i$ to operate on a given running key
segment of $\log_2(M/2)$ bits to provide the bases for $\log_2(M/2)$ data bits.
Although this would lower the estimate Eq. (7) in general, under a
known-plaintext attack a search complexity remains for pinning down the
possible outputs of the ENC box whereas the output of the ENC box is uniquely
specified for the "Case 2" cipher. Note, however, that for ciphertext-only
attacks on K (i.e. those for which the plaintext is random), a classical stream
cipher can provide information-theoretic security.

We briefly describe the possibility of key generation with the original Y-00 of
Fig. 1. The condition for information-theoretically secure fresh key generation
is, in general

$$H(X_n|Y_n^E, K) > H(X_n|Y_n^B, K). \qquad (8)$$

In Eq. (8), $Y_n^E$ is obtained from a quantum measurement without the
knowledge of K. It is then used together with any value of K to estimate the
data $X_n$. This necessary condition has to be supplemented with one on the key
K security for defense against adaptive measurements, as discussed in [1], to
make it sufficient also. This would require the extension of Y-00 in different
possible ways, such as DSR and CPPM described in [1]. However, against
individual attacks with a fixed qumode measurement, Eq. (8) is sufficient and
can be readily seen to hold as follows. With $S = |\alpha_0|^2$ being the
average photon number in the states (1), the bit-error rate for Bob with the
optimum quantum receiver [22] is



The bit-error rate for heterodyning, considered as a possible attack, is the
well known Gaussian result

$$P_b^{het} \sim \tfrac{1}{2} e^{-S}, \qquad (10)$$

and that for the optimum-phase measurement tailored to the states in (1) is

$$P_b^{ph} \sim \tfrac{1}{2} e^{-2S} \qquad (11)$$

over a wide range of S. The difference between Eq. (9) and Eq. (11) allows key
generation at any value of S if n is long enough. With a mesoscopic signal
level $S \sim 7$, one has $P_b \sim 10^{-12}$, $P_b^{het} \sim 10^{-3}$,
$P_b^{ph} \sim 10^{-6}$. For reasonable n, this contradicts the claim in [9]
that quantum effects are negligible until S < 1 + l/v 7 ^, as follows. If the
data arrives at a rate of 1 Gbps, Bob is likely to have $10^9$ error-free bits
in 1 second, while Eve would have $\sim 10^6$ or $\sim 10^3$ errors in her
$10^9$ bits with heterodyne or the optimum-phase measurement (which has no
known experimental realization). With the usual privacy amplification, the
users can then generate $\sim 10^6$ or $\sim 10^3$ bits in the 1 second
interval by eliminating Eve's information. While these parameter values are not
particularly remarkable and have not been experimentally demonstrated, they
compare favorably with coherent-state BB84 schemes where $S \sim 0.1$ and a
serious beam-splitting attack for 3 dB loss also obtains that wipes out the
quantum advantage (though not the post-detection selection advantage) Bob has
even with intrusion-level detection. More significantly, Y-00 illustrates the
new KCQ principle of quantum key generation introduced in [1], that creates
advantage via the difference between optimal quantum receiver performance with
versus without knowledge of a secret key, which is more powerful than previous
principles that rely on intrusion-level detection.
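
The error rates quoted above for S ~ 7, worked through numerically as an added example (not code from the paper). Eve's rates follow Eqs. (10) and (11); Bob's rate uses the standard Helstrom minimum-error formula for two equiprobable antipodal coherent states, and the entropy gap of Eq. (8) assumes uniform data bits with independent bit errors, both assumptions of this example.

```python
import math

def bob_optimum_ber(S):
    """Helstrom minimum error for |+a>, |-a> with S = |a|^2 (assumed form).
    Written as x / (2 * (1 + sqrt(1 - x))), which equals (1 - sqrt(1 - x)) / 2
    but keeps precision when x = exp(-4S) is tiny."""
    x = math.exp(-4.0 * S)            # squared overlap of the two states
    return 0.5 * x / (1.0 + math.sqrt(1.0 - x))

def eve_heterodyne_ber(S):
    """Eq. (10): heterodyne measurement."""
    return 0.5 * math.exp(-S)

def eve_phase_ber(S):
    """Eq. (11): optimum-phase measurement."""
    return 0.5 * math.exp(-2.0 * S)

def h2(p):
    """Binary entropy in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)

def eq8_gap_bits(p_eve, p_bob, n_bits):
    """H(X_n|Y_n^E,K) - H(X_n|Y_n^B,K) for n uniform bits whose errors are
    independent with rates p_eve and p_bob (assumption of this example)."""
    return n_bits * (h2(p_eve) - h2(p_bob))

def report(S, n_bits):
    """Expected error counts and Eq. (8) gap for both of Eve's measurements."""
    p_bob = bob_optimum_ber(S)
    out = {"bob": {"ber": p_bob, "errors": p_bob * n_bits}}
    for name, p_eve in (("heterodyne", eve_heterodyne_ber(S)),
                        ("phase", eve_phase_ber(S))):
        out[name] = {
            "ber": p_eve,
            "errors": p_eve * n_bits,                      # Eve's expected errors
            "gap_bits": eq8_gap_bits(p_eve, p_bob, n_bits),
        }
    return out

if __name__ == "__main__":
    # One second of data at 1 Gbps with the mesoscopic level S = 7 from the text.
    for name, row in report(7.0, 1e9).items():
        print(name, {k: f"{v:.3g}" for k, v in row.items()})
```

The one-key-bit-per-error count used in the text stays below the entropy gap in both cases, so it is the more conservative of the two figures.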

In conclusion, the reduction of Y-00 to a classical stream cipher claimed in
[9] is incorrect for data bit encryption because it still suffers from
coherent-state quantum noise for typical operating parameters. It weakens both
the data and key security, possibly information-theoretically and certainly
complexity-wise. It is also inapplicable to fresh key generation because it
does not recognize the seed key influence on the optimal quantum receiver
performance and because it ignores privacy amplification. The principle
underlying Y-00 can be used in conjunction with additional techniques to obtain
much more powerful advantage creation for key generation, as well as near
perfect information-theoretic security for the data and the key in direct
encryption against known-plaintext attacks. The detailed development has begun
in [1] and will be presented elsewhere.